North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

RE: Wow, AS7007!

  • From: Dave Van Allen
  • Date: Fri Apr 25 17:49:10 1997

>-----Original Message-----
>From:	Stephen A Misel [SMTP:[email protected]]
>Sent:	Friday, April 25, 1997 12:53 PM
>To:	[email protected]
>Subject:	Wow, AS7007!
>I happened to be in one of our 7505 routers this afternoon when POP -- all
>of a sudden most of the internet disappeared!  I immediately thought it was
>me, but looked around and saw this AS7007 broadcasting MY routes!  
>Correct me if I'm wrong, but:
>	(1)  We're going to read about this in EVERY computer magazine, newspaper
>and TV as "the end of the internet?"
>Probably. It's newsworthy in that it punctuates the statement "Nearly anyone
>with a BGP router in hand can instantly core-dump the global routing tables"
>	(2)  Access lists by backbone providers *should* have prevented this.
>Mostly.  An ISP, whether large or small that BGP's with customers can indeed
>do distribute ACL's both on AS heard, and routes learned, including masks.
>You can easily re-announce or announce only what you want, or not announce or
>re-announce routes that are inconsistent with your policy or ACL's.
>	(3)  Does or does not the RADB and other routing registries (MCI's, etc)
>prevent this?
>It helps, but all you need are a few ingress' that do not filter and you can
>pollute enough of the core to hose it very nicely indeed.
>I bet this hole will be patched up real soon!
>I don't think so.  I'm not sure that this is as much a "hole" as it is a
>relationship and trust issue.  Right now, when things go OK, the routing
>policies on Net work pretty well.  Unarguably, they need refining, but
>all-in-all the Net still relies mostly on trust, as it has from the
>beginning.  If we simply take all trust away, then the current topology would
>not work, and may not be able to be made to work quickly enough, without even
>more disasters.
>This exact thing has happened before, and potentially will happen again
>because all it can take is one typo under 'router bgp xxxxx' at the right
>place, in the right network, and the Internet can go quickly to /dev/null.
>This is the trust factor.  We all rely on the fact that router-jocks won't
>typo, will filter where appropriate, and will educate rookies prior to
>whispering the enable passwd to them.
>A few things would help, IMO - All BGP should be authenticated, and all
>neighbors should be ACL'd.
>Now after spending 4 hours announcing more specifics to cover the bogon
>routes so we could play Internet today for a bit, it's time to be a
>good-netcitizen and see if I can't re-CIDR myself.  Then it's off to the
>Scotch locker! :-)
>Best regards,
>Dave Van Allen - You Tools Corporation/FASTNET(tm)
>[email protected] (610)289-1100
>FASTNET - PA/NJ/DE Business Internet Solutions
- - - - - - - - - - - - - - - - -